How to Securely Access OCI Object Storage Using Private Endpoints

✍ Introduction

When using Oracle Cloud Infrastructure (OCI), securing your data and controlling how it is accessed is essential. One way to achieve this is with OCI Object Storage private endpoints, which keep traffic to your buckets on OCI's private network so that it never traverses the public internet.

This blog explains what private endpoints are, their benefits, and how to set them up using the OCI Console. We’ll also explain how access was handled before and how private endpoints offer improved security and control.

✅ How Access Was Handled Before Using Private Endpoints

Before private endpoints were available, OCI users could access Object Storage in one of two ways:

Through a Service Gateway

A Service Gateway allows resources inside your VCN to reach OCI services such as Object Storage without going through the public internet. Even though the traffic never leaves OCI's cloud, it is still routed through OCI's shared service infrastructure.

Public Buckets via the Internet

If the bucket was public, or the network had no service gateway configured, applications reached Object Storage over the internet through the public endpoints. This exposes your buckets to the internet and widens the set of networks that can reach them.

✅ What’s Different with OCI Object Storage Private Endpoints

Private endpoints build on the idea of private access but go further by giving you full control over where traffic flows and who can access it:

  • Traffic stays within your VCN’s subnet, not OCI’s shared service infrastructure.

  • You can create custom endpoints with your own DNS prefix and namespace for easy access.

  • You decide which buckets, namespaces, and compartments are accessible, making it more secure than both service gateways and public endpoints.

  • Private endpoints offer dedicated bandwidth up to 25 Gbps, ensuring faster data transfers.

This makes private endpoints the preferred choice for organizations that want secure object storage access, cloud data privacy, and performance optimization in OCI.


In the diagram above, a client that wants to reach Object Storage does so through the VNIC in the private subnet. The VNIC receives one IP address from the subnet 10.3.0.0/24.

✅ Limits You Should Know About Private Endpoints

OCI imposes some limits to ensure efficient management and scalability:

  • Up to 10 private endpoints per tenancy.

  • Up to 10 access targets per private endpoint.

  • Maximum bandwidth of 25 Gbps per endpoint.

These limits help maintain performance while giving you flexibility to structure your network access.

✅ How Private Endpoints Work

When you create a private endpoint, OCI:

  1. Creates a virtual network interface (VNIC) inside the chosen subnet.

  2. Sets up a custom endpoint URL using the DNS prefix and namespace you specify.

  3. Resolves the endpoint's hostname to the VNIC's private IP when the query comes from a DNS resolver inside the VCN, and to a public IP when it is resolved from outside.

This ensures that your application’s access to Object Storage stays secure and under your control.
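A check for the resolution behaviour in step 3, added here as an example and not code from the original post: it resolves the endpoint hostname and reports whether every answer falls inside the endpoint's subnet (10.3.0.0/24, the subnet from the diagram). The hostname and the canned resolver answers are constructed placeholders; on a VM inside the VCN you would pass the real endpoint hostname and keep the default system resolver, and a `private_path` of `False` tells you that some requests would take a path you did not intend.

```python
import ipaddress
import socket

# Subnet shown in the post's diagram: the endpoint's VNIC takes one IP from it.
ENDPOINT_SUBNET = "10.3.0.0/24"


def classify_address(ip, subnet_cidr=ENDPOINT_SUBNET):
    """Classify one resolved address: 'private-endpoint' if it lies in the
    endpoint's subnet, 'private-other' for any other private range (a different
    VCN or endpoint), otherwise 'public' (the request would leave the VCN)."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(subnet_cidr):
        return "private-endpoint"
    if addr.is_private:
        return "private-other"
    return "public"


def system_resolver(hostname):
    """IPv4 answers from the host's configured resolver (what a client on the VM uses)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_endpoint_path(hostname, subnet_cidr=ENDPOINT_SUBNET, resolver=system_resolver):
    """Resolve the endpoint hostname and report whether every answer points at the
    private endpoint. A single public or foreign-subnet answer means some requests
    could leave the private path."""
    verdicts = {ip: classify_address(ip, subnet_cidr) for ip in resolver(hostname)}
    return {
        "hostname": hostname,
        "answers": verdicts,
        "private_path": bool(verdicts) and all(v == "private-endpoint" for v in verdicts.values()),
    }


# Constructed answers standing in for two DNS views: inside the VCN and outside it.
SAMPLE_HOSTNAME = "myprefix.private.objectstorage.example.invalid"  # placeholder, not a real endpoint
INSIDE_VCN_ANSWER = {SAMPLE_HOSTNAME: ["10.3.0.15"]}    # constructed: VNIC IP from 10.3.0.0/24
OUTSIDE_VCN_ANSWER = {SAMPLE_HOSTNAME: ["11.22.33.44"]}  # constructed public address


def fake_resolver(table):
    """Build a resolver that answers from a fixed table (for offline demonstration)."""
    return lambda hostname: table.get(hostname, [])


if __name__ == "__main__":
    for label, table in (("inside VCN", INSIDE_VCN_ANSWER), ("outside VCN", OUTSIDE_VCN_ANSWER)):
        result = check_endpoint_path(SAMPLE_HOSTNAME, resolver=fake_resolver(table))
        print(f"{label}: private_path={result['private_path']} answers={result['answers']}")
```

Wire this into the instance's health checks or a pre-deployment test so that a DNS change (for example, a resolver that no longer points at the VCN's private resolver) is noticed before traffic silently falls back to the public path.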

✅ How to Create a Private Endpoint (Step-by-Step)

🔹 Step 1 – Create the Private Endpoint

Enter a name, choose a unique DNS prefix, select the correct VCN and subnet.

🔹 Step 2 – Add Access Targets

Specify the namespace, compartment, and bucket. Use wildcards only when necessary.

🔹 Final Setup

OCI will create a VNIC and a custom endpoint for your Object Storage access.


✅ Testing the Setup

Launch a compute instance in the private subnet and test uploading and downloading objects to Object Storage through the private endpoint's custom URL.

✅ Best Practices

  • Use specific access targets instead of wildcards where possible.
  • Limit the number of endpoints and targets according to business needs.
  • Regularly monitor access and permissions.
  • Use OCI’s private DNS resolver for consistent private routing.
  • Follow cloud security best practices for storage networking.
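An added example (not the post's or OCI's own code) covering the access targets from Step 2 and the first two best practices above. It models access targets as the console presents them, namespace, compartment and bucket with `*` as the wildcard, then audits a target list against the post's limit of 10 targets per endpoint and flags wildcards, duplicates and incomplete entries. The exact-match-or-`*` matching rule is an assumption for illustration, and the sample namespace and compartment OCIDs are constructed placeholders.

```python
WILDCARD = "*"
MAX_ACCESS_TARGETS = 10          # per-endpoint limit quoted in the post
TARGET_FIELDS = ("namespace", "compartmentId", "bucket")


def target_matches(target, namespace, compartment_id, bucket):
    """One access target admits a request when every field is either an exact
    match or the wildcard. (Matching rule assumed for this example.)"""
    wanted = {"namespace": namespace, "compartmentId": compartment_id, "bucket": bucket}
    return all(target.get(field) in (WILDCARD, wanted[field]) for field in TARGET_FIELDS)


def endpoint_allows(targets, namespace, compartment_id, bucket):
    """The endpoint admits the request if any of its access targets does."""
    return any(target_matches(t, namespace, compartment_id, bucket) for t in targets)


def audit_access_targets(targets):
    """Findings a reviewer would raise before approving the endpoint: the
    per-endpoint limit, incomplete entries, duplicates, and wildcards."""
    findings = []
    if len(targets) > MAX_ACCESS_TARGETS:
        findings.append(f"{len(targets)} access targets exceeds the limit of {MAX_ACCESS_TARGETS}")
    seen = set()
    for i, t in enumerate(targets):
        missing = [f for f in TARGET_FIELDS if not t.get(f)]
        if missing:
            findings.append(f"target {i}: missing {', '.join(missing)}")
            continue
        key = tuple(t[f] for f in TARGET_FIELDS)
        if key in seen:
            findings.append(f"target {i}: duplicate of an earlier target")
        seen.add(key)
        wild = [f for f in TARGET_FIELDS if t[f] == WILDCARD]
        if wild:
            findings.append(f"target {i}: wildcard on {', '.join(wild)}; "
                            "name the specific value unless every item really needs access")
    return findings


# Constructed sample targets (namespace and compartment OCIDs are placeholders, not real identifiers).
NAMESPACE = "exampletenancy"
APP_COMPARTMENT = "ocid1.compartment.oc1..PLACEHOLDER_APP"
SPECIFIC_TARGETS = [
    {"namespace": NAMESPACE, "compartmentId": APP_COMPARTMENT, "bucket": "app-logs"},
    {"namespace": NAMESPACE, "compartmentId": APP_COMPARTMENT, "bucket": "app-uploads"},
]
BROAD_TARGETS = [
    {"namespace": NAMESPACE, "compartmentId": WILDCARD, "bucket": WILDCARD},
]

if __name__ == "__main__":
    for name, targets in (("specific", SPECIFIC_TARGETS), ("broad", BROAD_TARGETS)):
        print(f"{name}: allows bucket 'backups'? "
              f"{endpoint_allows(targets, NAMESPACE, APP_COMPARTMENT, 'backups')}")
        for finding in audit_access_targets(targets) or ["no findings"]:
            print("  -", finding)
```

Running the audit over the target list exported from your infrastructure-as-code before applying it makes the wildcard decision explicit: the broad list reaches every bucket in every compartment of the namespace, while the specific list reaches only the two buckets the application actually uses.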

✅ Conclusion

With OCI Object Storage private endpoints, you get the highest level of security and control over how data is accessed and transferred. Compared to service gateways and public buckets, private endpoints offer better isolation, performance, and compliance support. This solution aligns with modern cloud security strategies and helps organizations keep their data safe while optimizing network efficiency.
